diff --git a/policy/modules.conf b/policy/modules.conf index 5a772d5eba..67c4c42f1c 100644 --- a/policy/modules.conf +++ b/policy/modules.conf @@ -1086,6 +1086,13 @@ glusterd = module # gnome = module +# Layer: apps +# Module: gnome_remote_desktop +# +# gnome-remote-desktop +# +gnome_remote_desktop = module + # Layer: apps # Module: gpg # diff --git a/policy/modules/contrib/bootupd.te b/policy/modules/contrib/bootupd.te index f4fb56f610..f86ed6efed 100644 --- a/policy/modules/contrib/bootupd.te +++ b/policy/modules/contrib/bootupd.te @@ -20,7 +20,7 @@ files_pid_file(bootupd_var_run_t) # bootupd local policy # allow bootupd_t self:capability { setgid setuid }; -allow bootupd_t self:process { fork setpgid }; +allow bootupd_t self:process { fork setfscreate setpgid }; allow bootupd_t self:fifo_file rw_fifo_file_perms; allow bootupd_t self:unix_dgram_socket create_socket_perms; allow bootupd_t self:unix_stream_socket create_stream_socket_perms; @@ -46,6 +46,8 @@ fs_manage_dos_dirs(bootupd_t) fs_manage_dos_files(bootupd_t) fs_search_efivarfs_dirs(bootupd_t) +storage_getattr_fixed_disk_dev(bootupd_t) + optional_policy(` bootloader_domtrans(bootupd_t) ') diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te index b12ce7b587..789b59c995 100644 --- a/policy/modules/contrib/dbus.te +++ b/policy/modules/contrib/dbus.te @@ -411,3 +411,7 @@ allow session_bus_type dbusd_unconfined:dbus send_msg; kernel_stream_connect(session_bus_type) systemd_login_read_pid_files(session_bus_type) + +optional_policy(` + gnome_remote_desktop_rw_tcp_sockets(system_dbusd_t) +') diff --git a/policy/modules/contrib/gnome_remote_desktop.fc b/policy/modules/contrib/gnome_remote_desktop.fc new file mode 100644 index 0000000000..fcb60f6808 --- /dev/null +++ b/policy/modules/contrib/gnome_remote_desktop.fc 
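Review bot: The `setfscreate` permission added to the `allow bootupd_t self:process` line carries no explanation; it lets bootupd choose the context of files it creates through setfscreatecon(3) instead of relying on the policy's type_transition rules, so the reason belongs next to the rule. What the domain can actually label remains bounded by its other `create` and filesystem `associate` rules, so the exposure is limited, but someone auditing bootupd_t should not have to guess. A one-line comment above the rule, e.g. `# setfscreate: bootupd sets the creation context of the files it writes itself`, would settle it, adjusted to whatever the actual trigger was.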
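Review bot: `gnome_remote_desktop_rw_tcp_sockets(system_dbusd_t)` grants the system bus daemon `rw_socket_perms` (read, write, setopt, shutdown and more) on TCP sockets owned by gnome_remote_desktop_t, and the optional_policy block gives no hint of the scenario. If the only path is a descriptor passed over the bus that dbus-daemon merely relays, most of those permissions are never exercised by the relay, and a narrower rule, or a dontaudit for the probing access, would be safer than full read/write on a network-facing connection socket. Add a comment above the block stating the case, e.g. `# gnome-remote-desktop passes its client socket over the system bus`, if that is what happens, and confirm from the audit log which permissions dbus-daemon actually needs.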
@@ -0,0 +1,3 @@ +/usr/libexec/gnome-remote-desktop-daemon -- gen_context(system_u:object_r:gnome_remote_desktop_exec_t,s0) + +/var/lib/gnome-remote-desktop(/.*)? gen_context(system_u:object_r:gnome_remote_desktop_var_lib_t,s0) diff --git a/policy/modules/contrib/gnome_remote_desktop.if b/policy/modules/contrib/gnome_remote_desktop.if new file mode 100644 index 0000000000..68f7986ed0 --- /dev/null +++ b/policy/modules/contrib/gnome_remote_desktop.if 
@@ -0,0 +1,178 @@ + +## policy for gnome_remote_desktop + +######################################## +## +## Execute gnome_remote_desktop_exec_t in the gnome_remote_desktop domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`gnome_remote_desktop_domtrans',` + gen_require(` + type gnome_remote_desktop_t, gnome_remote_desktop_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, gnome_remote_desktop_exec_t, gnome_remote_desktop_t) +') + +###################################### +## +## Execute gnome_remote_desktop in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_remote_desktop_exec',` + gen_require(` + type gnome_remote_desktop_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, gnome_remote_desktop_exec_t) +') + +######################################## +## +## Search gnome_remote_desktop lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_remote_desktop_search_lib',` + gen_require(` + type gnome_remote_desktop_var_lib_t; + ') + + allow $1 gnome_remote_desktop_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read gnome_remote_desktop lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_remote_desktop_read_lib_files',` + gen_require(` + type gnome_remote_desktop_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t) +') + +######################################## +## +## Manage gnome_remote_desktop lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_remote_desktop_manage_lib_files',` + gen_require(` + type gnome_remote_desktop_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t) +') + +######################################## +## +## Manage gnome_remote_desktop lib directories. 
+## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_remote_desktop_manage_lib_dirs',` + gen_require(` + type gnome_remote_desktop_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t) +') + + +######################################## +## +## All of the rules required to administrate +## an gnome_remote_desktop environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`gnome_remote_desktop_admin',` + gen_require(` + type gnome_remote_desktop_t; + type gnome_remote_desktop_var_lib_t; + ') + + allow $1 gnome_remote_desktop_t:process { signal_perms }; + ps_process_pattern($1, gnome_remote_desktop_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 gnome_remote_desktop_t:process ptrace; + ') + + files_search_var_lib($1) + admin_pattern($1, gnome_remote_desktop_var_lib_t) + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') +') + +## +## Read and write to TCP socket +## +## +## +## Allow the specified domain to read and write to +## gnome_remote_desktop_port_t TCP socket +## +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_remote_desktop_rw_tcp_sockets', ` + gen_require(` + type gnome_remote_desktop_t; + ') + + allow $1 gnome_remote_desktop_t:tcp_socket rw_socket_perms; +') diff --git a/policy/modules/contrib/gnome_remote_desktop.te b/policy/modules/contrib/gnome_remote_desktop.te new file mode 100644 index 0000000000..e3d0514bea --- /dev/null +++ b/policy/modules/contrib/gnome_remote_desktop.te 
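Review bot: The description of `gnome_remote_desktop_rw_tcp_sockets` promises read/write on the `gnome_remote_desktop_port_t` TCP socket, but the rule it contains is `allow $1 gnome_remote_desktop_t:tcp_socket rw_socket_perms;`, i.e. read/write on TCP sockets owned by the daemon's domain; a port type is not a socket object, so the text misleads anyone auditing what the callers elsewhere in this commit (system_dbusd_t and xdm_t) can touch. Change the summary to `## Read and write TCP sockets owned by the gnome_remote_desktop domain` and reword the description to say the objects are the daemon's own socket descriptors, for example ones handed to the caller. The interface header of that same block also has a space after the comma before the body, unlike every other interface in the file.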
@@ -0,0 +1,73 @@ +policy_module(gnome_remote_desktop, 1.0.0) + +######################################## +# +# Declarations +# + +type gnome_remote_desktop_t; +type gnome_remote_desktop_exec_t; +domain_type(gnome_remote_desktop_t) +domain_entry_file(gnome_remote_desktop_t, gnome_remote_desktop_exec_t) +role system_r types gnome_remote_desktop_t; + +permissive gnome_remote_desktop_t; + +type gnome_remote_desktop_var_lib_t; +files_type(gnome_remote_desktop_var_lib_t) + +######################################## +# +# gnome_remote_desktop local policy +# + +kernel_dgram_send(gnome_remote_desktop_t) + +manage_dirs_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t) +manage_files_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t) +manage_lnk_files_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t) +files_var_lib_filetrans(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, { dir file lnk_file }) + +#============= gnome_remote_desktop_t ============== +corenet_tcp_bind_gnome_remote_desktop_port(gnome_remote_desktop_t) +allow gnome_remote_desktop_t self:tcp_socket create_stream_socket_perms; +allow gnome_remote_desktop_t self:unix_dgram_socket create_socket_perms; + +domain_use_interactive_fds(gnome_remote_desktop_t) + +files_read_etc_files(gnome_remote_desktop_t) + +corenet_tcp_bind_generic_node(gnome_remote_desktop_t) +dev_read_sysfs(gnome_remote_desktop_t) +files_watch_usr_dirs(gnome_remote_desktop_t) +fs_getattr_cgroup(gnome_remote_desktop_t) +fs_getattr_xattr_fs(gnome_remote_desktop_t) +init_read_state(gnome_remote_desktop_t) + +optional_policy(` + dbus_system_domain(gnome_remote_desktop_t, gnome_remote_desktop_exec_t) +') + +optional_policy(` + kerberos_read_config(gnome_remote_desktop_t) +') + +optional_policy(` + logging_write_syslog_pid_socket(gnome_remote_desktop_t) +') + +optional_policy(` + 
miscfiles_read_certs(gnome_remote_desktop_t) + miscfiles_read_localization(gnome_remote_desktop_t) +') + +optional_policy(` + systemd_login_list_pid_dirs(gnome_remote_desktop_t) + systemd_login_read_pid_files(gnome_remote_desktop_t) + systemd_read_logind_sessions_files(gnome_remote_desktop_t) +') + +optional_policy(` + xserver_dbus_chat_xdm(gnome_remote_desktop_t) + xserver_read_xdm_state(gnome_remote_desktop_t) +') diff --git a/policy/modules/contrib/sandboxX.te b/policy/modules/contrib/sandboxX.te index a9b560db05..dae6fa9b1c 100644 --- a/policy/modules/contrib/sandboxX.te +++ b/policy/modules/contrib/sandboxX.te @@ -65,7 +65,10 @@ manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xs manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +allow sandbox_xserver_t sandbox_xserver_tmpfs_t:file map; + kernel_dontaudit_request_load_module(sandbox_xserver_t) +kernel_read_device_sysctls(sandbox_xserver_t) kernel_read_system_state(sandbox_xserver_t) corecmd_exec_bin(sandbox_xserver_t) @@ -93,6 +96,7 @@ domain_use_interactive_fds(sandbox_xserver_t) files_read_config_files(sandbox_xserver_t) files_search_home(sandbox_xserver_t) fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t) +fs_getattr_xattr_fs(sandbox_xserver_t) fs_search_auto_mountpoints(sandbox_xserver_t) miscfiles_read_fonts(sandbox_xserver_t) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 6a7ab05fcb..5507fa37d3 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -2009,6 +2009,8 @@ dev_write_sysfs_dirs(virtnodedevd_t) files_map_var_lib_files(virtnodedevd_t) files_watch_etc_dirs(virtnodedevd_t) +files_etc_filetrans_mdevctl_conf(virtnodedevd_t) +files_manage_mdevctl_conf_files(virtnodedevd_t) miscfiles_read_hwdata(virtnodedevd_t) 
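Review bot: `permissive gnome_remote_desktop_t;` in the declarations ships the new domain unenforced, so every rule in this file is advisory and a compromised daemon is no better confined than an unconfined process; for a daemon that binds the RDP port range via `corenet_tcp_bind_gnome_remote_desktop_port` and parses network input, that is the first thing to resolve before the module is treated as a confined domain. If the line is meant as a soak period, mark it as such with `# TODO: drop permissive once the domain has been exercised in enforcing mode` and track its removal; otherwise delete it. The only entry into the domain in this hunk is `dbus_system_domain`, so if the package also starts the daemon from a systemd unit there is no transition from init here; confirm against how it is launched.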
@@ -2334,11 +2336,16 @@ manage_files_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t) manage_lnk_files_pattern(virtstoraged_t, virt_etc_rw_t, virt_etc_rw_t) +kernel_get_sysvipc_info(virtstoraged_t) kernel_io_uring_use(virtstoraged_t) corecmd_exec_bin(virtstoraged_t) fs_getattr_all_fs(virtstoraged_t) +fs_getattr_configfs_dirs(virtstoraged_t) + +storage_raw_read_fixed_disk(virtstoraged_t) +storage_raw_write_fixed_disk(virtstoraged_t) userdom_read_user_home_content_files(virtstoraged_t) @@ -2346,10 +2353,22 @@ optional_policy(` dnsmasq_filetrans_named_content_fromdir(virtstoraged_t, virtstoraged_var_run_t) ') +optional_policy(` + fstools_domtrans(virtstoraged_t) +') + optional_policy(` lvm_domtrans(virtstoraged_t) ') +optional_policy(` + mount_domtrans(virtstoraged_t) +') + +optional_policy(` + udev_domtrans(virtstoraged_t) +') + ####################################### # # virtvboxd local policy diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index c570c29078..c88d967c08 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -186,6 +186,7 @@ network_port(git, tcp,9418,s0, udp,9418,s0) network_port(glance, tcp,9292,s0, udp,9292,s0) network_port(glance_registry, tcp,9191,s0, udp,9191,s0) network_port(gluster, tcp,24007-24027,s0, tcp, 38465-38469,s0) +network_port(gnome_remote_desktop, tcp,3389-3399,s0) network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index 13920e5839..249ee19e6f 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc 
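Review bot: `storage_raw_read_fixed_disk(virtstoraged_t)` and `storage_raw_write_fixed_disk(virtstoraged_t)` give the storage driver daemon raw read and write access to every fixed_disk_device_t block device, the host's own disks included, and the hunk carries no comment on which storage pool backend needs it. The following hunk in this file adds unconditional transitions into fstools_t, mount_t and udev_t, which likewise widen what a compromised virtstoraged can do on the host. Both should be annotated with the libvirt feature that requires them, e.g. `# raw disk access: block-device backed storage pools` if that is the reason, and the raw write in particular is a candidate for a tunable_policy boolean so hosts that do not use such pools can leave it off.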
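Review bot: `network_port(gnome_remote_desktop, tcp,3389-3399,s0)` claims eleven TCP ports although 3389 is the standard RDP port, and nothing in the hunk says why the range extends to 3399. Port numbers in corenetwork form a single namespace, so any other port type in this file that already covers a number in 3389-3399 (not visible in the hunk) would conflict; please confirm none does, and either narrow the range or add a comment above the line such as `# 3389-3399: <reason the extra ports are needed>`.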
@@ -60,6 +60,7 @@ ifdef(`distro_suse',` /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/mdevctl\.d(/.*) gen_context(system_u:object_r:mdevctl_conf_t,s0) /etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0) /etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0) /etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 17bba804e8..a3be7f1655 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -6065,6 +6065,43 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') +####################################### +## +## Manage mdevctl configuration files +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_mdevctl_conf_files',` + gen_require(` + type mdevctl_conf_t; + ') + + files_search_etc(mdevctl_conf_t) + manage_files_pattern($1, mdevctl_conf_t, mdevctl_conf_t) +') + +################################### +## +## Create /etc/mdevctl.d with the correct type +## +## +## +## Domain allowed access. +## +## +# +interface(`files_etc_filetrans_mdevctl_conf',` + gen_require(` + type etc_t, mdevctl_conf_t; + ') + + filetrans_pattern($1, etc_t, mdevctl_conf_t, dir, "mdevctl.d") +') + ####################################### ## ## Read manageable system configuration files in /etc diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 7cd4518545..926441521c 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te 
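Review bot: The new pattern `/etc/mdevctl\.d(/.*)` lacks the trailing `?` used by the neighbouring entries, so it matches the directory's contents but not `/etc/mdevctl.d` itself; a relabel therefore leaves the directory as etc_t while the `files_etc_filetrans_mdevctl_conf` transition added in files.if creates it as mdevctl_conf_t. The two labelling paths then disagree, and restorecon silently takes away the directory access that `files_manage_mdevctl_conf_files` callers rely on. Change the entry to `/etc/mdevctl\.d(/.*)?	gen_context(system_u:object_r:mdevctl_conf_t,s0)`.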
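Review bot: `files_manage_mdevctl_conf_files` calls `files_search_etc(mdevctl_conf_t)` instead of `files_search_etc($1)`, so the search permission on etc_t is granted to the file type rather than to the calling domain, and the caller only reaches `/etc/mdevctl.d` if it already has that access from elsewhere (virtnodedevd_t probably does, which is why this would go unnoticed). Replace that line with `files_search_etc($1)`. The header separator above `files_etc_filetrans_mdevctl_conf` is also shorter than the file's standard separator line.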
@@ -80,6 +80,10 @@ files_ro_base_file(system_conf_t) # compatibility aliases for removed type: typealias system_conf_t alias iptables_conf_t; +# mdevctl_conf_t is a type for files in /etc/mdevctl.d +type mdevctl_conf_t, configfile; +files_type(mdevctl_conf_t) + # system_db_t is a new type of various # db files. type system_db_t; diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index ddf32d8c85..5a874c341f 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -2062,6 +2062,24 @@ interface(`fs_dontaudit_write_configfs_dirs',` dontaudit $1 configfs_t:dir write; ') +####################################### +## +## Getattr dirs on a configfs filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_configfs_dirs',` + gen_require(` + type configfs_t; + ') + + allow $1 configfs_t:dir getattr; +') + ####################################### ## ## Read dirs diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 38127f2fc5..a5aa4a871b 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1862,3 +1862,9 @@ tunable_policy(`selinuxuser_direct_dri_enabled',` ',` dev_dontaudit_rw_dri(dridomain) ') + +#============= xdm_t ============== +optional_policy(` + gnome_remote_desktop_rw_tcp_sockets(xdm_t) + dev_rw_dma_dev(xdm_t) +') diff --git a/policy/users b/policy/users index e12211daf8..1c16e2bdba 100644 --- a/policy/users +++ b/policy/users 
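Review bot: `type mdevctl_conf_t, configfile;` declares an application-specific type in the base `files` module, where it can never be made optional, and the `configfile` attribute makes it readable by every domain that uses the attribute-based config-file interfaces. Since the only consumer in this commit is virtnodedevd_t, the type and its two interfaces belong in a contrib module (virt, or a small mdevctl module) declared through `files_config_file()`, unless the base-module location is deliberate; if it is, say why in the comment above the type.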
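Review bot: `dev_rw_dma_dev(xdm_t)` sits inside the same optional_policy block as `gnome_remote_desktop_rw_tcp_sockets(xdm_t)`, so it is silently dropped whenever the gnome_remote_desktop module is absent although it has nothing to do with that module, and a reader will assume the display manager needs DMA device access only for remote desktop. Move it to xdm_t's unconditional rules with its own justification and keep the optional block for the socket rule alone. Read/write on another domain's network-facing TCP sockets is a notable grant for xdm_t, so record the reason above the block, e.g. `# xdm receives gnome-remote-desktop's client socket for session handover`, if that is what happens.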
@@ -24,8 +24,8 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) # SELinux user identity for a Linux user. If you do not want to # permit any access to such users, then remove this entry. # -gen_user(user_u, user, user_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(user_u, user, user_r, s0, s0) +gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # @@ -35,4 +35,7 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # role should use the staff_r role instead of the user_r role when # not in the sysadm_r. # -gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(guest_u, user, guest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0)
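Review bot: `gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, ...)` adds unconfined_r and system_r to the staff identity, so a staff_u login can now reach the unconfined role through whatever role changes the rest of the policy permits; that removes the separation staff_u exists for and is unrelated to the remote-desktop work in this commit, so it deserves its own commit with a rationale. The same hunk drops the MLS-only secadm_r and auditadm_r roles from staff_u and root and collapses user_u's range to `s0`, which on MLS builds leaves no identity here able to assume the security or audit administrator roles and denies user_u any MCS categories. If both are intended, state it in the header comment; otherwise keep the ifdef and the original range.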
+## Allow the specified domain to read and write to +## gnome_remote_desktop_port_t TCP socket +##